WannaCry
ransomware, 2 mutex signatures
[BASIC_INFORMATION]
FAMILY_NAME:
WannaCry
CATEGORY:
RANSOMWARE
DESCRIPTION:
WannaCry is a ransomware cryptoworm that spread rapidly across computer networks in May 2017. It exploited the EternalBlue vulnerability in Microsoft Windows systems and was attributed to the Lazarus Group.
ALIASES:
WannaCrypt, WCry, Wana Decrypt0r
TAGS:
cryptoworm, self-propagating, smb_exploit, file_encryption, kill_switch
[MUTEX_SIGNATURES](2)
[MUTEX_01]
MsWinZonesCacheCounterMutexA
ANALYST: @adhikara13 DATE: 2025-01-09
REFERENCES:
[MUTEX_02]
Global\MsWinZonesCacheCounterMutexW
ANALYST: @adhikara13 DATE: 2025-01-09
[THREAT_INTELLIGENCE]
ATTRIBUTION:
Lazarus Group (North Korea)
FIRST_OBSERVED:
2017
[SIGMA_RULE]
[STATISTICS]
MUTEX_COUNT: 2
THREAT_ACTORS: 1
ALIASES: 3
TAGS: 5
CATEGORY: RANSOMWARE